Loading ...

Play interactive tourEdit tour

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.11362.dll

Overview

General Information

Sample Name:SecuriteInfo.com.W32.AIDetect.malware1.11362.dll
Analysis ID:544194
MD5:43d4b9318439f6926dfbcf46a5291621
SHA1:06581c15c15cf8345bef1cea5b32fbc7d7d71e03
SHA256:b06b7b05e576d19367c383aabd9c8fed8cd5e7955e2f1493d326b9b5306c7439
Tags:dllDridex
Infos:

Most interesting Screenshot:

Detection

Dridex
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Tries to delay execution (extensive OutputDebugStringW loop)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Entry point lies outside standard sections
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6752 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 4756 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6324 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 6712 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 696 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
    00000004.00000002.334490741.000000006ECF1000.00000020.00020000.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
      00000004.00000000.301040628.000000006ECF1000.00000020.00020000.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
        00000004.00000000.303124420.000000006ECF1000.00000020.00020000.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          4.2.rundll32.exe.6ecf0000.2.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
            4.0.rundll32.exe.6ecf0000.2.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
              4.0.rundll32.exe.6ecf0000.5.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
                1.2.loaddll32.exe.6ecf0000.2.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security

                  Sigma Overview

                  System Summary:

                  barindex
                  Sigma detected: Suspicious Call by OrdinalShow sources
                  Source: Process startedAuthor: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4756, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1, ProcessId: 6324

                  Jbx Signature Overview

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection:

                  barindex
                  Found malware configurationShow sources
                  Source: 4.2.rundll32.exe.6ecf0000.2.unpackMalware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}
                  Multi AV Scanner detection for submitted fileShow sources
                  Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dllVirustotal: Detection: 24%Perma Link
                  Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dllReversingLabs: Detection: 25%
                  Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                  Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307864938.0000000000CF6000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307347881.0000000004C00000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307414987.0000000000CF6000.00000004.00000001.sdmp
                  Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
                  Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000008.00000002.323657432.0000000000782000.00000004.00000001.sdmp
                  Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: wntdll.pdb source: loaddll32.exe, 00000001.00000003.307015548.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308326568.0000000000CF0000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307409840.0000000000CF0000.00000004.00000001.sdmp
                  Source: Binary string: combase.pdbL source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: sfc.pdb\1 source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: shcore.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: imagehlp.pdb$ source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: cryptbase.pdbJ source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
                  Source: Binary string: advapi32.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: fltLib.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: shell32.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: dwmapi.pdbW source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: mpr.pdb_0 source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
                  Source: Binary string: wimm32.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000008.00000003.307420438.0000000000CFC000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307772141.0000000000CFC000.00000004.00000001.sdmp
                  Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: mpr.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
                  Source: Binary string: setupapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: wUxTheme.pdbP source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll
                  Source: Binary string: shcore.pdbk source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000008.00000003.308326568.0000000000CF0000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307409840.0000000000CF0000.00000004.00000001.sdmp
                  Source: Binary string: profapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: winspool.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
                  Source: Binary string: shell32.pdbk source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: sechost.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: propsys.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.307015548.000000004B280000.00000004.00000001.sdmp
                  Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: ws2_32.pdb^ source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: powrprof.pdbt source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: powrprof.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: profapi.pdbx source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: msctf.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
                  Source: Binary string: wsspicli.pdbn source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: setupapi.pdbF source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: winspool.pdbr source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000008.00000003.307420438.0000000000CFC000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307772141.0000000000CFC000.00000004.00000001.sdmp
                  Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: iphlpapi.pdb" source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: combase.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: rundll32.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
                  Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000008.00000003.307864938.0000000000CF6000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307414987.0000000000CF6000.00000004.00000001.sdmp
                  Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: sfc.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: apphelp.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
                  Source: Binary string: wuser32.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
                  Source: Binary string: sechost.pdb` source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp

                  Networking:

                  barindex
                  C2 URLs / IPs found in malware configurationShow sources
                  Source: Malware configuration extractorIPs: 144.91.122.102:443
                  Source: Malware configuration extractorIPs: 85.10.248.28:593
                  Source: Malware configuration extractorIPs: 185.4.135.27:5228
                  Source: Malware configuration extractorIPs: 80.211.3.13:8116
                  Source: Joe Sandbox ViewASN Name: TOPHOSTGR TOPHOSTGR
                  Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
                  Source: Joe Sandbox ViewIP Address: 185.4.135.27 185.4.135.27
                  Source: Joe Sandbox ViewIP Address: 85.10.248.28 85.10.248.28
                  Source: WerFault.exe, 00000008.00000003.322752355.0000000004B82000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000002.324473883.0000000004B82000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                  Source: Amcache.hve.8.drString found in binary or memory: http://upx.sf.net
                  Source: loaddll32.exe, 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.301065037.000000006ED0F000.00000002.00020000.sdmpString found in binary or memory: http://www.n4pkg6fy8o.gaDVarFileInfo$

                  E-Banking Fraud:

                  barindex
                  Yara detected Dridex unpacked fileShow sources
                  Source: Yara matchFile source: 4.2.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.0.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.0.rundll32.exe.6ecf0000.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.loaddll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.334490741.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000000.301040628.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000000.303124420.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY

                  System Summary:

                  barindex
                  Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                  Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dllBinary or memory string: OriginalFilenameIha.dllD vs SecuriteInfo.com.W32.AIDetect.malware1.11362.dll
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 696
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6ED00730
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6ED09370
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6ECFA4E8
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6ECF1494
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6ECF8428
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6ED0143C
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6ED02234 NtDelayExecution,
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6ED02820 NtAllocateVirtualMemory,
                  Source: C:\Windows\System32\loaddll32.exeProcess Stats: CPU usage > 98%
                  Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dllVirustotal: Detection: 24%
                  Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dllReversingLabs: Detection: 25%
                  Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1
                  Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll"
                  Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 696
                  Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6324
                  Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4413.tmpJump to behavior
                  Source: classification engineClassification label: mal76.troj.evad.winDLL@6/6@0/4
                  Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                  Source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307864938.0000000000CF6000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307347881.0000000004C00000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307414987.0000000000CF6000.00000004.00000001.sdmp
                  Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
                  Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000008.00000002.323657432.0000000000782000.00000004.00000001.sdmp
                  Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: wntdll.pdb source: loaddll32.exe, 00000001.00000003.307015548.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.308326568.0000000000CF0000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307409840.0000000000CF0000.00000004.00000001.sdmp
                  Source: Binary string: combase.pdbL source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: sfc.pdb\1 source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: shcore.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: imagehlp.pdb$ source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: cryptbase.pdbJ source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
                  Source: Binary string: advapi32.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: fltLib.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: shell32.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: dwmapi.pdbW source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: mpr.pdb_0 source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
                  Source: Binary string: wimm32.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000008.00000003.307420438.0000000000CFC000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307772141.0000000000CFC000.00000004.00000001.sdmp
                  Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: mpr.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
                  Source: Binary string: setupapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: wUxTheme.pdbP source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.11362.dll
                  Source: Binary string: shcore.pdbk source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000008.00000003.308326568.0000000000CF0000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307409840.0000000000CF0000.00000004.00000001.sdmp
                  Source: Binary string: profapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: winspool.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
                  Source: Binary string: shell32.pdbk source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: sechost.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: propsys.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.307015548.000000004B280000.00000004.00000001.sdmp
                  Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: ws2_32.pdb^ source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: powrprof.pdbt source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: powrprof.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: profapi.pdbx source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: msctf.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
                  Source: Binary string: wsspicli.pdbn source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: setupapi.pdbF source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: winspool.pdbr source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000008.00000003.307420438.0000000000CFC000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307772141.0000000000CFC000.00000004.00000001.sdmp
                  Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: iphlpapi.pdb" source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: combase.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000008.00000003.312997657.0000000005040000.00000004.00000040.sdmp
                  Source: Binary string: rundll32.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
                  Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000008.00000003.307864938.0000000000CF6000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307414987.0000000000CF6000.00000004.00000001.sdmp
                  Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: sfc.pdb source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: Binary string: apphelp.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
                  Source: Binary string: wuser32.pdb source: WerFault.exe, 00000008.00000003.312989033.0000000004EC1000.00000004.00000001.sdmp
                  Source: Binary string: sechost.pdb` source: WerFault.exe, 00000008.00000003.313002553.0000000005046000.00000004.00000040.sdmp
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6ECFF6A8 push esi; mov dword ptr [esp], 00000000h
                  Source: initial sampleStatic PE information: section where entry point is pointing to: .rdata
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  barindex
                  Tries to delay execution (extensive OutputDebugStringW loop)Show sources
                  Source: C:\Windows\System32\loaddll32.exeSection loaded: OutputDebugStringW count: 1181
                  Source: C:\Windows\System32\loaddll32.exeWindow / User API: threadDelayed 1180
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6ED00730 GetTokenInformation,GetSystemInfo,GetTokenInformation,
                  Source: Amcache.hve.8.drBinary or memory string: VMware
                  Source: Amcache.hve.8.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.8.drBinary or memory string: VMware, Inc.
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                  Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.8.drBinary or memory string: VMware7,1
                  Source: Amcache.hve.8.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.8.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: WerFault.exe, 00000008.00000002.324457894.0000000004B70000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.322684693.0000000004B70000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                  Source: Amcache.hve.8.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.8.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.8.drBinary or memory string: VMware, Inc.me
                  Source: Amcache.hve.8.drBinary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
                  Source: Amcache.hve.8.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                  Source: WerFault.exe, 00000008.00000002.324337692.0000000004B30000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW`
                  Source: Amcache.hve.8.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6ECF6D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6ED03138 RtlAddVectoredExceptionHandler,
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1
                  Source: loaddll32.exe, 00000001.00000002.692606291.0000000001A00000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.303018264.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.300956661.0000000002FA0000.00000002.00020000.sdmpBinary or memory string: Program Manager
                  Source: loaddll32.exe, 00000001.00000002.692606291.0000000001A00000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.303018264.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.300956661.0000000002FA0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                  Source: loaddll32.exe, 00000001.00000002.692606291.0000000001A00000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.303018264.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.300956661.0000000002FA0000.00000002.00020000.sdmpBinary or memory string: Progman
                  Source: loaddll32.exe, 00000001.00000002.692606291.0000000001A00000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.303018264.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.300956661.0000000002FA0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                  Source: C:\Windows\System32\loaddll32.exeCode function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
                  Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6ECF6D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
                  Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.drBinary or memory string: c:\users\user\desktop\procexp.exe
                  Source: Amcache.hve.8.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.drBinary or memory string: procexp.exe

                  Mitre Att&ck Matrix

                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection12Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery31Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection12LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Rundll321NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA SecretsAccount Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsSystem Owner/User Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSyncRemote System Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                  Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemSystem Information Discovery13Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 544194 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 22/12/2021 Architecture: WINDOWS Score: 76 18 185.4.135.27 TOPHOSTGR Greece 2->18 20 85.10.248.28 HETZNER-ASDE Germany 2->20 22 2 other IPs or domains 2->22 24 Found malware configuration 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 Yara detected Dridex unpacked file 2->28 30 2 other signatures 2->30 9 loaddll32.exe 1 2->9         started        signatures3 process4 signatures5 32 Tries to delay execution (extensive OutputDebugStringW loop) 9->32 12 cmd.exe 1 9->12         started        process6 process7 14 rundll32.exe 12->14         started        process8 16 WerFault.exe 23 9 14->16         started       

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  SecuriteInfo.com.W32.AIDetect.malware1.11362.dll24%VirustotalBrowse
                  SecuriteInfo.com.W32.AIDetect.malware1.11362.dll26%ReversingLabsWin32.Worm.Cridex

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  SourceDetectionScannerLabelLinkDownload
                  4.2.rundll32.exe.6ecf0000.2.unpack100%AviraHEUR/AGEN.1144420Download File
                  4.0.rundll32.exe.6ecf0000.2.unpack100%AviraHEUR/AGEN.1144420Download File
                  4.0.rundll32.exe.6ecf0000.5.unpack100%AviraHEUR/AGEN.1144420Download File
                  4.2.rundll32.exe.7d0000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                  1.2.loaddll32.exe.d90000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                  1.2.loaddll32.exe.6ecf0000.2.unpack100%AviraHEUR/AGEN.1144420Download File
                  4.0.rundll32.exe.7d0000.3.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                  4.0.rundll32.exe.7d0000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://www.n4pkg6fy8o.gaDVarFileInfo$0%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  No contacted domains info

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://upx.sf.netAmcache.hve.8.drfalse
                    high
                    http://www.n4pkg6fy8o.gaDVarFileInfo$loaddll32.exe, 00000001.00000002.693101054.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.301065037.000000006ED0F000.00000002.00020000.sdmpfalse
                    • Avira URL Cloud: safe
                    low

                    Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public

                    IPDomainCountryFlagASNASN NameMalicious
                    185.4.135.27
                    unknownGreece
                    199246TOPHOSTGRtrue
                    85.10.248.28
                    unknownGermany
                    24940HETZNER-ASDEtrue
                    80.211.3.13
                    unknownItaly
                    31034ARUBA-ASNITtrue
                    144.91.122.102
                    unknownGermany
                    51167CONTABODEtrue

                    General Information

                    Joe Sandbox Version:34.0.0 Boulder Opal
                    Analysis ID:544194
                    Start date:22.12.2021
                    Start time:20:34:01
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 7m 6s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:SecuriteInfo.com.W32.AIDetect.malware1.11362.dll
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Run name:Run with higher sleep bypass
                    Number of analysed new started processes analysed:23
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal76.troj.evad.winDLL@6/6@0/4
                    EGA Information:Failed
                    HDC Information:
                    • Successful, ratio: 53.8% (good quality ratio 51.4%)
                    • Quality average: 78.6%
                    • Quality standard deviation: 27.7%
                    HCA Information:Failed
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Sleeps bigger than 120000ms are automatically reduced to 1000ms
                    • Found application associated with file extension: .dll
                    Warnings:
                    Show All
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                    • Excluded IPs from analysis (whitelisted): 20.42.73.29
                    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
                    • Not all processes where analyzed, report is missing behavior information

                    Simulations

                    Behavior and APIs

                    No simulations

                    Joe Sandbox View / Context

                    IPs

                    No context

                    Domains

                    No context

                    ASN

                    No context

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f87e517ca7ba4e3ba229cb2ffa35583e25899a_82810a17_1ad75c0f\Report.wer
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.9222363616068773
                    Encrypted:false
                    SSDEEP:192:4miE0oXSN/HBUZMX4jed+yL/u7sGS274ItWc:ViyXSN/BUZMX4je3L/u7sGX4ItWc
                    MD5:CDBEF812024E2E1A36A4FE1846B67068
                    SHA1:4665E12F1152E0C07821A73B2E9934274CB58624
                    SHA-256:8C4EAC5F11909246248BCD4E4B6FC6B30B856A8A8C72D7445F5F34EB9E0A1BFA
                    SHA-512:1A3D7F9ECAB3DE733B0DC929106FF20D226785AB28403BDA1DA4BCB23AF65187E0366C12E87BE865E8A63988E29782A3CB8B2432C9A57678E35162FD324E4B06
                    Malicious:false
                    Reputation:low
                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.4.7.0.7.7.0.7.4.9.9.8.5.9.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.4.7.0.7.7.1.2.0.4.6.7.3.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.3.9.3.8.5.1.c.-.f.4.1.9.-.4.e.f.c.-.9.a.f.f.-.1.4.a.7.5.1.4.b.1.3.7.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.0.2.e.e.e.3.7.-.e.9.b.4.-.4.2.6.8.-.b.0.9.6.-.f.3.b.a.b.8.8.d.4.0.c.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.b.4.-.0.0.0.1.-.0.0.1.c.-.5.3.f.c.-.b.4.7.2.b.6.f.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.
                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER4413.tmp.dmp
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 14 streams, Thu Dec 23 04:35:08 2021, 0x1205a4 type
                    Category:dropped
                    Size (bytes):43756
                    Entropy (8bit):2.139472296500077
                    Encrypted:false
                    SSDEEP:192:JW+KDgVEc6yLjO5SkbmQwB/eKaGyPCAl5JA71mzccYB3AMI33Yq:hS5LbpwB/5aGyPCAzJs1mzccxYq
                    MD5:726F7DFB2AE28150549639AC21BA4D43
                    SHA1:607E2C2C07BDCF0974819C42937456F5097002BC
                    SHA-256:1E3D0693B1E6AF37F2EEEE0C048673E18D3F45F30C7D56EB1632F47FFB0BACC6
                    SHA-512:34CC19013C01779619EE975ED24949FAD970EBB6605716B4CF32E78FE64F07008DF7D9573EE32B776D97D86EEE4174B0C22583E9ED926EFBF3C16DF4F18827DC
                    Malicious:false
                    Reputation:low
                    Preview: MDMP....... .......|..a.........................................-..........T.......8...........T...............$............................................................................................U...........B...... .......GenuineIntelW...........T...........u..a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER4AEA.tmp.WERInternalMetadata.xml
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8326
                    Entropy (8bit):3.690869333314738
                    Encrypted:false
                    SSDEEP:192:Rrl7r3GLNiqd067OgsG6YDo6EgmfT/CSsCprQ89ba5ysfH+m:RrlsNiqe6f6YM6EgmfT/CS5a5xfH
                    MD5:2A3D2B8E09AC194B63597EE85C79E92E
                    SHA1:EB1E1D40175BE420BD94D136BC7C71C0B79BB6F1
                    SHA-256:47579AE72C9A54D68DEC1AAD71A8E9AACBFCA7DA1411EC9BB1FC014B782FD0B3
                    SHA-512:F203B26566A7E752AE62A93722CE0A092FFE7B96929190020E994777F6E8289729BCD4664E0A50F5C5E9A39645CA5449CF4B6C0F7760E2E0E3A78B3AE14BCB98
                    Malicious:false
                    Reputation:low
                    Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.2.4.<./.P.i.d.>.......
                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER4D6B.tmp.xml
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4698
                    Entropy (8bit):4.4877009648952555
                    Encrypted:false
                    SSDEEP:48:cvIwSD8zsFJgtWI9CcWSC8BJCs8fm8M4JCdsDChFeo+q8/QQBR24SrSWd:uITffNVSNnCRJlxoVJDWWd
                    MD5:F8135692885414B84D256F717A796903
                    SHA1:95F9A7AFBD5B1B7ADDD488656B6A0AFF3F0F33E7
                    SHA-256:B6EBCF9CA1362EFA06D5FAC03FA9C05D99D53B057CEDCBF88725B75141687E7E
                    SHA-512:AA781381BBBD4224F37EE4887E50F6826327AD4F8BEBCF5E004815BE115A7F884ED27C1A18EAAB696582E95B99C7A20068D8F3C0F1ED4EFD44B809A46CA3C6EE
                    Malicious:false
                    Reputation:low
                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1309785" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                    C:\Windows\appcompat\Programs\Amcache.hve
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:MS Windows registry file, NT/2000 or above
                    Category:dropped
                    Size (bytes):1572864
                    Entropy (8bit):4.276053824421805
                    Encrypted:false
                    SSDEEP:12288:BxqtC8mFD7M/S+UdeiL/NA9DDY1tm1juUKzDTkAOCNr36uc5hPkPkZ:vqtC8mFD7M/S+UkO
                    MD5:5939F26615D7BB8628B14A9A7084D056
                    SHA1:E3C638401E93AFF4E14191BCBD69A1FD9B0F625B
                    SHA-256:94FA5148970DEFA008003BEE5925F7B4DD9916FDB2C6AB3712F7EDE7246408BD
                    SHA-512:B20C466041932758986CA552FE1BAAE62CC223C545C882D9CCD91C75ED8281E0F85D0CCE2F3F0422474CD2AC50E4E75C3C95733029D967E1F4665B3011293BF0
                    Malicious:false
                    Reputation:low
                    Preview: regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmJ.Ru..................................................................................................................................................................................................................................................................................................................................................V(........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:MS Windows registry file, NT/2000 or above
                    Category:dropped
                    Size (bytes):24576
                    Entropy (8bit):4.032359811129686
                    Encrypted:false
                    SSDEEP:384:Bq5oQ5Rftx1vPJ4XMsFcnE7kgPBqX/Seq5QMVyi6+/Xl4Lk4uZd1DoXzn2Xvwvm:MomRftx1HJ4XJFcE7hBqXKeq5QMVyi6t
                    MD5:8AD05CBB05EA2F708F36F397C03509F1
                    SHA1:99319A049B54A63262E51B329E392C69DCC0388F
                    SHA-256:A5938E9E435CD75D12A55DCDD66FFB6B1D020622762DCEDF0E95A56BEC957E3A
                    SHA-512:CFC76D0840B0F66D95957FF1E99949E01D00DEB2EC2BFF967A76F479802030715DA8918355C7FA1823DCA3B18E3AC07D4D6B0A6FB22F7599CFDF0059E9BA5AC4
                    Malicious:false
                    Reputation:low
                    Preview: regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmJ.Ru..................................................................................................................................................................................................................................................................................................................................................V(HvLE.^......Y...........i.r.}....!iM+.`..........0................... ..hbin................p.\..,..........nk,...Tu.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ...Tu........ ........................... .......Z.......................Root........lf......Root....nk ...Tu.....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

                    Static File Info

                    General

                    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):7.322437972026823
                    TrID:
                    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                    • Generic Win/DOS Executable (2004/3) 0.20%
                    • DOS Executable Generic (2002/1) 0.20%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:SecuriteInfo.com.W32.AIDetect.malware1.11362.dll
                    File size:544768
                    MD5:43d4b9318439f6926dfbcf46a5291621
                    SHA1:06581c15c15cf8345bef1cea5b32fbc7d7d71e03
                    SHA256:b06b7b05e576d19367c383aabd9c8fed8cd5e7955e2f1493d326b9b5306c7439
                    SHA512:1cd1903a05030e394056ec5c23f4d08d8959ef349ffeaccbc61feb620724e4555c7e5fae7b40bedcae308681af79b9cb60f4b5d181d4e24d5ec2f547349cbe04
                    SSDEEP:6144:+D+RYf/Mv1UvT4vjYf/Glpov3KvfMvLo+jwHk3UryzU3+R7ff4evm35IQku4+pMl:+Dt2UAogoOwhx7nA4+pMAg
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<..k....<...=.S.<.=.....<.......<.......<.t.?...<.t.=.4.<.L.9...<.t...0.<..k....<..0..x.<.......<..1....<..k....<

                    File Icon

                    Icon Hash:74f0e4ecccdce0e4

                    Static PE Info

                    General

                    Entrypoint:0x10004db0
                    Entrypoint Section:.rdata
                    Digitally signed:false
                    Imagebase:0x10000000
                    Subsystem:windows gui
                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                    Time Stamp:0x61C2E245 [Wed Dec 22 08:31:01 2021 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:0
                    File Version Major:5
                    File Version Minor:0
                    Subsystem Version Major:5
                    Subsystem Version Minor:0
                    Import Hash:e980d287af7ef0ccd616c6efb9daaae8

                    Entrypoint Preview

                    Instruction
                    inc eax
                    mov edx, 00000003h
                    cmpps xmm1, xmm0, 02h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    jmp 00007F7104C68C41h
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    push ebp
                    mov ebp, esp
                    push esi
                    push edi
                    push ebx
                    and esp, FFFFFFF8h
                    sub esp, 00000090h
                    mov eax, dword ptr [ebp+08h]
                    mov byte ptr [esp+00000083h], 00000064h
                    mov dword ptr [esp+70h], 02263442h
                    mov dword ptr [esp+44h], eax
                    call 00007F7104C6C7CAh
                    mov ecx, eax
                    mov edx, eax
                    mov esi, dword ptr [eax+3Ch]
                    movzx edi, word ptr [esp+0000008Ah]
                    mov bx, di
                    mov dword ptr [esp+40h], eax
                    mov eax, edi
                    xor eax, 0000E2E7h
                    mov word ptr [esp+3Eh], ax
                    mov al, byte ptr [esp+77h]
                    mov byte ptr [esp+3Dh], al
                    mov eax, dword ptr [esp+00000084h]
                    mov dword ptr [esp+38h], esi
                    mov si, word ptr [esp+3Eh]
                    mov word ptr [eax+eax+00000000h], si

                    Rich Headers

                    Programming Language:
                    • [IMP] VS2015 UPD1 build 23506
                    • [C++] VS2012 UPD1 build 51106
                    • [ASM] VS2012 build 50727
                    • [ASM] VS2012 UPD2 build 60315
                    • [LNK] VS2010 SP1 build 40219
                    • [EXP] VS2010 SP1 build 40219
                    • [RES] VS2015 UPD1 build 23506
                    • [IMP] VS2010 build 30319
                    • [ASM] VS2015 UPD1 build 23506
                    • [C++] VS2017 v15.5.4 build 25834
                    • [EXP] VS2012 UPD4 build 61030
                    • [C++] VS2008 build 21022
                    • [ASM] VS2010 SP1 build 40219

                    Data Directories

                    NameVirtual AddressVirtual Size Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT0x7c0290x60.rdata
                    IMAGE_DIRECTORY_ENTRY_IMPORT0x7c08c0x78.rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x840000x2f0.rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x850000x1138.reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG0x60300x38.rdata
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_IAT0x80000x44.rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                    Sections

                    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                    .rdata0x10000x6b2e0x7000False0.391496930804data4.47906652106IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    .rdata0x80000x747db0x75000False0.316222622863data7.44059897898IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data0x7d0000x61900x5000False0.24609375data5.03782298504IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                    .rsrc0x840000x2f00x1000False0.09033203125data0.789164600932IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc0x850000x11380x2000False0.2421875data4.12390144992IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                    Resources

                    NameRVASizeTypeLanguageCountry
                    RT_VERSION0x840600x290MS Windows COFF PA-RISC object fileEnglishUnited States

                    Imports

                    DLLImport
                    WINSPOOL.DRVEnumFormsW
                    ADVAPI32.dllRegCloseKey, QueryServiceStatusEx, AccessCheck
                    WS2_32.dllWSACleanup
                    USER32.dllGetWindowTextA
                    KERNEL32.dllCloseHandle, GetModuleHandleW, GetFileSize, OutputDebugStringA, IsDebuggerPresent, GetModuleFileNameW

                    Version Infos

                    DescriptionData
                    OriginalFilenameIha.dll
                    FileDescriptionOracle Call Interface
                    FileVersion2.3.7.0.0
                    Legal CopyrightCopyright Oracle Corporation 1979, 2001. All rights reserved.
                    CompanyNameOracle Corporation
                    Translation0x0409 0x04b0

                    Possible Origin

                    Language of compilation systemCountry where language is spokenMap
                    EnglishUnited States

                    Network Behavior

                    No network behavior found

                    Code Manipulations

                    Statistics

                    Behavior

                    Click to jump to process

                    System Behavior

                    General

                    Start time:20:35:00
                    Start date:22/12/2021
                    Path:C:\Windows\System32\loaddll32.exe
                    Wow64 process (32bit):true
                    Commandline:loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll"
                    Imagebase:0x2b0000
                    File size:116736 bytes
                    MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000001.00000002.693021141.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security
                    Reputation:moderate

                    General

                    Start time:20:35:00
                    Start date:22/12/2021
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1
                    Imagebase:0xd80000
                    File size:232960 bytes
                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:20:35:01
                    Start date:22/12/2021
                    Path:C:\Windows\SysWOW64\rundll32.exe
                    Wow64 process (32bit):true
                    Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.11362.dll",#1
                    Imagebase:0x890000
                    File size:61952 bytes
                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.334490741.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000000.301040628.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000000.303124420.000000006ECF1000.00000020.00020000.sdmp, Author: Joe Security
                    Reputation:high

                    General

                    Start time:20:35:04
                    Start date:22/12/2021
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 696
                    Imagebase:0xe80000
                    File size:434592 bytes
                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Disassembly

                    Code Analysis

                    Reset < >